URL shorteners are right under our eyes. You may have noticed how for a while now many of the links shared online, especially (but not exclusively) on social networks started to look like “http://tinyurl.com/SomethingSomething”. Replace tinyurl with goo.gl or bit.ly (where in both cases the included title turns into a code formed out of letters and numbers) and you have three common shortened URL versions.
Of course the brands above are not the only services that serve shortening long URLs – you may find here an updated list coming from still another similar service.
The practice of using embellished links pertains to the link-sharing modern culture – original longer links take more space, displease the eye and are harder to manipulate while sustaining various procedures, as emailing, for example. Some social networks even have word count limits that restrict the accepted length for a message-included URL.
Just to form an idea, the patent for the “associated shorthand link and URL” was filed in 2000, while 2009 marked the debut of Google’s dedicated service (goo.gl) and the launch of WordPress’s URL shortener (wp.me).
The mechanism employed in URL shorteners
As the above-mentioned patent mentioned, the URL shortener services assign a shorthand link (or a unique key) to each initial URL, and act as intermediaries by redirecting all requests for the shortened URL to the initial address. The redirections may be set as permanent or temporary, and some protocols are not available for shortening at all (as javascript: for example) since it would raise the cyber-security risk level.
The acceptance regime of URL shorteners differs from country to country or even from one website to another, but nevertheless this practice has made its way into mainstream.
The cyber-security risks of URL shorteners
The main cyber-security risks when employing URL shorteners would be:
- Being prone to abuse (abuse coming from spam authors and other malicious entities; hijacking the redirection process and making users end up on a completely different site is not an uncommon illicit practice against which users can employ the destination preview technique (e.g. for tinyurl: when prefixing the usual address with “preview” just before tinyrl.com, a safe destination display is provided); malware injection is also possible via hijacked shortened URLs;
- Facilitating user tracking and further privacy protection issues (the shortening services have the ability of tracking a user across various domains, and by using botnets, an attacker could actually search “the entire address space of shortened URLs in a day”.
Recently two Cornell Tech researchers documented how access control can be overridden using URL shorteners. The team gained unauthorized access to “hundreds of thousands of private documents”, according to Wired magazine.
Although they have not tested the malware injection scenario, the researchers confirmed this would be highly possible if the malicious entities used a synchronization service, such as Microsoft’s OneDrive. The malware could reach the user’s computer automatically in such a case.
The entire demo exploit focused on Google Maps live links, including directions related to sensitive physical locations. By using the application, the connection between real-life people and their destination allows the deduction of sensitive private details from their schedule or personal lives.
The proposed countermeasure falls into the cloud services’ field of action – if the cloud services that use URL shorteners would limit URL scanning and increase the security measures by adding extra protective layers, such as design APIs or captchas, the risks would be decreased.
However, the matter of URL shorteners incumbent risks is not new. Online sources from previous years debated the necessary extra security measures, as well as the known types of attacks. The usual measures were to take the shortener providers and examine their security level, to consider the user complaints and consequently react via restrictions that targeted those URL shorteners that did not manage to contain the malicious activities.
A 2014 Avira approach of this matter advised users to “avoid clicking” these beautified links, or to use a URL lengthener before activating the link. We have seen above how previewing the link destination might also help.
Nevertheless, this types of precautionary measures defy one of the main purposes of URL shorteners – the speedy browsing. In a sharing and viral materials’ age, links fly about everywhere; texting, following, posting, all come with speed and information fluidity. It is hard to imagine users meticulously employing previews of their destination webpages each time such a quick information exchange takes place or propagates to yet another user.
URL shorteners – an unwanted vulnerability
To summarize the previous information, as well as the general opinion dominating the latest posts on this matter, URL shorteners are deemed as an appealing solution that unfortunately exposes users to severe cyber-security risks. The vulnerabilities may be even deeper than the researchers from Cornell Tech explored so far.
A software security matter increases exponentially once it reaches the cloud-computing environment – as we stressed out in different materials.
For now, there was an immediate response mechanism employed by Google right after the demo exploit – the URLs generated from the alert moment on will only have 11 or 12 characters and defenses have been deployed in order to limit the scanning of previously created beautified URLs.
